To answer my own question: I have also granted the IdentityProvider.Read.All permission and the script went through.
Trouble executing a Graph API function with my App / Granted permissions not recognized by Graph API
Dear Community,
I am trying to set up an AD B2C-based signup-or-signin flow using e-mail/password or the Google identity provider. To make the process reproducible, I would like to develop a script (ideally az cli-based or by using az rest calls to whatever APIs necessary) which does this for me.
I didn't find a means to set up the B2C tenant programmatically, so I created one manually. Let's say its id is stored in $b2cTenantId.
I have created the app registration (all variables are properly set) and generated a secret.
$app = az ad app create `
--display-name $appRegistrationName `
--sign-in-audience "AzureADMultipleOrgs" `
--web-redirect-uris $webRedirectUris `
--public-client-redirect-uris $mobileRedirectUris `
--query '{appId: appId, objectId: id}' | ConvertFrom-Json
$appId = $app.appId
$appObjectId = $app.objectId
$clientSecret = az ad app credential reset `
--id $appId `
--append `
--display-name "AuthSecret" `
--years 1 `
--query 'password' -o tsv
After that, I granted the necessary Graph rights to my App (and verified that they were added and the admin consent was granted):
# To add the provider to the user flow
$permissionId = az ad sp show `
--id 00000003-0000-0000-c000-000000000000 `
--query "appRoles[?value=='IdentityUserFlow.ReadWrite.All'].id" `
--output tsv
az ad app permission add --id $appObjectId `
--api 00000003-0000-0000-c000-000000000000 `
--api-permissions "$permissionId=Role"
# To actually create and configure providers
$permissionId = az ad sp show `
--id 00000003-0000-0000-c000-000000000000 `
--query "appRoles[?value=='IdentityProvider.ReadWrite.All'].id" `
--output tsv
az ad app permission add --id $appObjectId `
--api 00000003-0000-0000-c000-000000000000 `
--api-permissions "$permissionId=Role"
# To make the permission effective, we need to give admin consent
az ad app permission admin-consent --id $appObjectId
Then I logged in as the App:
az login --service-principal --username $appId --password $clientSecret --tenant $b2cTenantId --allow-no-subscriptions
Then, I added the signup-or-signin user flow:
az rest --method post `
--uri "https://graph.microsoft.com/beta/identity/b2cUserFlows" `
--headers '{\"Content-Type\": \"application/json\"}' `
--body ('{\"id\": \"' + $policyName + '\", \"userFlowType\":\"signUpOrSignIn\", \"userFlowTypeVersion\": 3}')
It worked: the IdentityUserFlow.ReadWrite.All permission I had granted before was correctly used here!
But now, when I try to add the Google Identity Provider
az rest --method post `
--uri "https://graph.microsoft.com/beta/identity/identityProviders" `
--headers '{\"Content-Type\": \"application/json\"}' `
--body ('{\"@odata.type\": \"microsoft.graph.socialIdentityProvider\", \"clientId\": \"' `
+ $env:GOOGLE_CLIENT_ID + '\", \"clientSecret\":\"' + $env:GOOGLE_CLIENT_SECRET + '\",' + `
'\"identityProviderType\": \"Google\", \"displayName\" : \"Google Auth Provider\", \"id\": \"' + $GoogleAuthId + '\"}')
it fails with an error:
ERROR: Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required application permissions (IdentityProvider.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"6c44586d-xxxx-xxxx-xxxx-79e09fcdbdc5","date":"2025-01-26T18:54:17","request-id":"d0a67892-xxxx-xxxx-xxxx-f355e27be175","client-request-id":"d0a67892-xxxx-xxxx-xxxx-f355e27be175"}}})
But I have explicitly checked that the permission for the app exists, and creating the user flow with this method worked alright! What am I missing here?
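When Graph returns this kind of Forbidden while the portal shows the permission as granted, the two things worth checking are what the app's access token actually carries and which Graph app roles are assigned to the app's service principal in the tenant being called. The PowerShell below is an added example, not code from the original question or answer. It assumes the Azure CLI and the `$appId` and `$b2cTenantId` variables from the question, and the two function names `Get-GraphTokenRoles` and `Get-GraphAppRoleAssignments` are its own.

```powershell
# Added example, not part of the original question or answer.
# Assumes the Azure CLI is installed and $appId holds the app's application (client) ID.

# Check 1: run this while logged in AS THE APP (az login --service-principal ...).
# Decodes the token the CLI sends to Graph and returns its 'roles' claim, which is the
# list of application permissions Graph will actually honour. Needs no Graph rights at all.
function Get-GraphTokenRoles {
    $token = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
    # The JWT payload is base64url without padding; convert to standard base64 first
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    [pscustomobject]@{
        Tenant = $claims.tid                     # tenant that issued the token
        AppId  = $claims.appid
        Roles  = @($claims.roles) | Sort-Object  # application permissions in this token
    }
}

# Check 2: run this while logged in as an ADMIN USER of the B2C tenant
# (az login --tenant $b2cTenantId --allow-no-subscriptions), because listing service
# principals needs directory read rights the app itself does not have here.
# Returns the Graph app roles assigned to the app's service principal in this tenant,
# resolved to their names. Note the service principal's object id is not the app
# registration's object id ($appObjectId in the question); it is looked up via the appId.
function Get-GraphAppRoleAssignments([string]$ApplicationId) {
    $graphAppId = '00000003-0000-0000-c000-000000000000'
    $graphRoles = az ad sp show --id $graphAppId --query 'appRoles[].{id:id, value:value}' | ConvertFrom-Json
    $spId = az rest --method get `
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$ApplicationId'" `
        --query 'value[0].id' -o tsv
    if (-not $spId) { throw "No service principal for appId $ApplicationId exists in this tenant" }
    $assigned = az rest --method get `
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments" `
        --query 'value[].appRoleId' -o tsv
    foreach ($roleId in $assigned) {
        ($graphRoles | Where-Object id -eq $roleId).value
    }
}

# Usage:
#   Get-GraphTokenRoles                   # while logged in as the app
#   Get-GraphAppRoleAssignments $appId    # while logged in as a B2C tenant admin
```

Application permissions surface in the token's `roles` claim, so if a permission the error message names is absent from that list, Graph is behaving consistently whatever the portal shows. The `tid` claim tells you which tenant issued the token; admin consent is recorded per tenant as app role assignments on that tenant's service principal, so the second check should be run against the same tenant the token came from, and the two lists should agree.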